scanner

Aqua Security Scanner Helm Chart

These are Helm charts for installation and maintenance of Aqua Container Security Platform Scanner CLI.

Contents

• Aqua Security Scanner Helm Chart
  • Contents
  • Prerequisites
    • Container Registry Credentials
    • Scanner User Credentials
  • Installing the Chart
    • Installing Aqua Scanner from Helm Private Repository
    • (Optional) Configure SSL communication with Aqua Server
    • (Optional) Configure mTLS communication with offline Aqua CyberCenter in air-gap environment
  • Configurable Variables
    • Scanner
  • Issues and feedback

Prerequisites

Container Registry Credentials

Link

Scanner User Credentials

Before installing scanner chart the recommendation is to create user with scanning permissions, Link to documentations

Installing the Chart

Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repo or you can add our helm private repository (https://helm.aquasec.com)

Installing Aqua Scanner from Helm Private Repository

• Add Aqua Helm Repository

helm repo add aqua-helm https://helm.aquasec.com
helm repo update

• Check for available chart versions either from Changelog or by running the below command

helm search repo aqua-helm/scanner --versions

• Install Aqua

helm upgrade --install --namespace aqua scanner aqua-helm/scanner --set imageCredentials.username=<>,imageCredentials.password=<>,user=<>,password=<>,scannerToken=<>

(Optional) Configure SSL communication with Aqua Server

To enable SSL communication from the Scanner to the Aqua Server. Perform these steps:

1. enable serverSSL.enabled to true in values.yaml or use --set 'serverSSL.enabled=true' for inline argument

2. You need to encode the certificate into base64 for server.crt using this command:

   cat <file-name> | base64 | tr -d '\n'

3. Provide the certificates previously obtained in the fields of the serverSSL.serverSSLCert in values.yaml or use --set serverSSL.serverSSLCert=<cert base64 value>

(Optional) Configure mTLS communication with offline Aqua CyberCenter in air-gap environment

1. To establish mTLS with offline cyberCenter, create secret using the below command kubectl create secret generic aqua-grpc-scanner --from-file=<rootCA.crt> --from-file=<aqua_scanner.crt> --from-file=<aqua_scanner.key> -n aqua
2. Enable cyberCenter.mtls.enabled to true in values.yaml
3. Add previously created secret name cyberCenter.mtls.secretName in values.yaml
4. Add respective certificate file names to cyberCenter.mtls.publicKey_fileName, cyberCenter.mtls.privateKey_fileName, cyberCenter.mtls.rootCA_fileName(Add rootCA if certs are self-signed)

AQUA_PRIVATE_KEY, AQUA_PUBLIC_KEY, AQUA_ROOT_CA(if using self-signed certs), OFFLINE_CC_MTLS_ENABLE in scanner_configmap.yaml and uncomment aqua-grpc-scanner certs volume mount and volumes block from scanner-deployment.yaml file before applying the kubectl commands.

Before installing scanner chart the recommendation is to create user with scanning permissions, Link to documentations

Configurable Variables

The following table lists the configurable parameters of the Console and Enforcer charts with their default values.

Scanner

Parameter	Description	Default	Mandatory
imageCredentials.create	Enables to create image credentials	false	NO
imageCredentials.name	If imageCredentials.create is enabled sets imageCredentials name		NO
imageCredentials.registry	The registry that the credentials will be created for. mandatory if imageCredentials.create is enabled	registry.aquasec.com	NO
imageCredentials.username	The username for the registry mandatory if imageCredentials.create is enabled		NO
imageCredentials.password	The password for the registry mandatory if imageCredentials.create is enabled		NO
dockerSocket.mount	Boolean parameter if to mount docker socket	unset	NO
dockerSocket.path	Docker socket path	/var/run/docker.sock	NO
platform	Specify the Kubernetes (k8s) platform acronym, allowed values are: aks, eks, gke, openshift, tkg, tkgi, k8s, rancher, gs, k3s, mke.	unset	YES
directCC.enabled	Scanner talk to the cyberCenter directly	yes	NO
serviceAccount.create	Enable to create serviceAccount if not exist in the Kubernetes	false	NO
serviceAccount.name	Kubernetes service-account name either existing one or new name if create is enabled	aqua-sa	YES
server.scheme	Scheme for server to connect	http	NO
server.serviceName	Service name for server to connect	aqua-console-svc	YES
server.port	Service port for server to connect	8080	YES
serverSSl.enable	To establish SSL communication with Aqua Server	false	NO
serverSSl.createSecret	Change to false if you're using existing server certificate secret	true	YES if serverSSl.enable is set to true
serverSSL.secretName	Secret name for the SSL cert	scanner-web-cert	YES if serverSSl.enable is set to true
serverSSL.cert_file	If serverSSL createSecret enable to true, add base64 value of the the server public certificate or add filename of certificate if loading from custom secret	Nill	YES if serverSSl.enable is set to true
cyberCenter.mtls.enabled	If require secure channel communication	false	NO
cyberCenter.mtls.secretName	Certificates secret name	nil	NO
cyberCenter.mtls.publicKey_fileName	Filename of the public key eg: aqua_scanner.crt	nil	YES if cyberCenter.mtls.enabled is set to true
cyberCenter.mtls.privateKey_fileName	Filename of the private key eg: aqua_scanner.key	nil	YES if cyberCenter.mtls.enabled is set to true
cyberCenter.mtls.rootCA_fileName	Filename of the rootCA, if using self-signed certificates eg: rootCA.crt	nil	NO if using self-signed certificates for mTLS
image.repository	The docker image name to use	scanner	YES
image.tag	The image tag to use.	2022.4	YES
image.pullPolicy	The kubernetes image pull policy.	IfNotPresent	NO
user	Scanner username	unset	YES
password	Scanner password	unset	YES
nameOverride	Scanner name	aqua-scanner	NO
scannerUserSecret.enable	Change it to true for loading scanner user, scanner password from secret	false	YES If password is not declared
scannerUserSecret.secretName	Secret name for the scanner user, scanner password secret	null	YES If password is not declared
scannerUserSecret.userKey	Secret key of the scanner user	null	YES If password is not declared
scannerUserSecret.passwordKey	Secret key of the scanner password	null	YES If password is not declared
scannerTokenSecret.enable	Change it to true for loading the scanner token from secrets	false	YES If scannerToken and username and password are not declared
scannerTokenSecret.secretName	Secret name for the scanner token secret	null	YES If scannerToken and username and password are not declared
scannerTokenSecret.tokenKey	Scanner token key name	null	YES If scannerToken and username and password are not declared
replicaCount	Replica count	1	NO
resources	Resource requests and limits	{}	NO
enableLivenessProbe	LivenessProbe	false	true
nodeSelector	Kubernetes node selector	{}	NO
tolerations	Kubernetes node tolerations	[]	NO
affinity	Kubernetes node affinity	{}	NO
podAnnotations	Kubernetes pod annotations	{}	NO
extraEnvironmentVars	Is a list of extra environment variables to set in the scanner deployments.	{}	NO
extraSecretEnvironmentVars	Is a list of extra environment variables to set in the scanner deployments, these variables take value from existing Secret objects.	[]	NO
rbac.create	To create default cluster-role and cluster-role bindings according to the platform	true	NO
clusterRole.roleRef	Cluster role reference name for cluster roleBinding	unset	NO
extraVolumes	extraVolumes is a list of volumes that can be mounted inside the KubeEnforcer deployment	[]	NO
extraVolumeMounts	extraVolumeMounts is a list of extra volumes to mount into the container's filesystem of the KubeEnforcer deployment	[]	NO

Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.